V-4582 | High | The network device must require authentication for console access. | Network devices with no password for administrative access via the console provide the opportunity for anyone with physical access to the device to make configuration changes enabling them to... |
V-3056 | High | Group accounts must not be configured for use on the network device. | Group accounts configured for use on a network device do not allow for accountability or repudiation of individuals using the shared account. If group accounts are not changed when someone leaves... |
V-15434 | High | The emergency administration account must be set to an appropriate authorization level to perform necessary administrative functions when the authentication server is not online. | The emergency administration account is to be configured as a local account on the network devices. It is to be used only when the authentication server is offline or not reachable via the... |
V-3012 | High | Network devices must be password protected. | Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organization's security policy. Access to the network must be categorized as administrator, user,... |
V-3210 | High | The network device must not use the default or well-known SNMP community strings public and private. | Network devices may be distributed by the vendor pre-configured with an SNMP agent using the well-known SNMP community strings public for read only and private for read and write authorization. An... |
V-3143 | High | Network devices must not have any default manufacturer passwords. | Network devices not protected with strong password schemes provide the opportunity for anyone to crack the password thus gaining access to the device and causing network outage or denial of... |
V-3175 | High | The network device must require authentication prior to establishing a management connection for administrative access. | Network devices with no password for administrative access via a management connection provide the opportunity for anyone with network access to the device to make configuration changes enabling... |
V-3196 | High | The network device must use SNMP Version 3 Security Model with FIPS 140-2 validated cryptography for any SNMP agent configured on the device. | SNMP Versions 1 and 2 are not considered secure. Without the strong authentication and privacy that is provided by the SNMP Version 3 User-based Security Model (USM), an unauthorized user can gain... |
V-3069 | Medium | Management connections to a network device must be established using secure protocols with FIPS 140-2 validated cryptographic modules. | Administration and management connections performed across a network are inherently dangerous because anyone with a packet sniffer and access to the right LAN segment can acquire the network... |
V-14671 | Medium | Network devices must authenticate all NTP messages received from NTP servers and peers. | Since NTP is used to ensure accurate log file time stamp information, NTP could pose a security risk if a malicious user were able to falsify NTP information. To launch an attack on the NTP... |
V-14717 | Medium | The network device must not allow SSH Version 1 to be used for administrative access. | SSH Version 1 is a protocol that has never been defined in a standard. Since SSH-1 has inherent design flaws which make it vulnerable to attacks, e.g., man-in-the-middle attacks, it is now... |
V-92241 | Medium | DoD Components providing guest WLAN access (Internet access only) must use separate WLAN or logical segmentation of the enterprise WLAN (e.g., separate service set identifier (SSID) and virtual LAN) or DoD network. | The purpose of the Guest WLAN network is to provide WLAN services to authorized site guests. Guests, by definition, are not authorized access to the enterprise network. If the guest WLAN is not... |
V-3057 | Medium | Authorized accounts must be assigned the least privilege level necessary to perform assigned duties. | By not restricting authorized accounts to their proper privilege level, access to restricted functions may be allowed before authorized personnel are trained or experienced enough to use those... |
V-3160 | Medium | Network devices must be running a current and supported operating system with all IAVMs addressed. | Network devices not running the latest tested and approved versions of software are vulnerable to network attacks. Running the most current, approved version of system and device software helps... |
V-15432 | Medium | Network devices must use two or more authentication servers for the purpose of granting administrative access. | The use of Authentication, Authorization, and Accounting (AAA) affords the best methods for controlling user access, authorization levels, and activity logging. By enabling AAA on the routers in... |
V-3013 | Medium | Network devices must display the DoD-approved logon banner warning. | All network devices must present a DoD-approved warning banner prior to a system administrator logging on. The banner should warn any unauthorized user not to proceed. It also should provide clear... |
V-3014 | Medium | The network devices must timeout management connections for administrative access after 10 minutes or less of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled between the managed network... |
V-3969 | Medium | Network devices must only allow SNMP read-only access. | Enabling write access to the device via SNMP provides a mechanism that can be exploited by an attacker to set configuration variables that can disrupt network operations. |
V-28784 | Medium | A service or feature that calls home to the vendor must be disabled. | Call home services or features will routinely send data such as configuration and diagnostic information to the vendor for routine or emergency analysis and troubleshooting. The risk that... |
V-25316 | Medium | The password configured on the WLAN Access Point for key generation and client access must be set to a 14 character or longer complex password as required by USCYBERCOM CTO 07-15Rev1. | If the organization does not use a strong passcode for client access, then it is significantly more likely that an adversary will be able to obtain it. Once this occurs, the adversary may be able... |
V-3967 | Medium | The network devices must time out access to the console port at 10 minutes or less of inactivity. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port... |
V-3966 | Medium | In the event the authentication server is unavailable, the network device must have a single local account of last resort defined. | Authentication for administrative access to the device is required at all times. A single account of last resort can be created on the device's local database for use in an emergency such as when... |
V-17821 | Medium | The network devices OOBM interface must be configured with an OOBM network address. | The OOBM access switch will connect to the management interface of the managed network device. The management interface of the managed network device will be directly connected to the OOBM... |
V-17822 | Medium | The network devices management interface must be configured with both an ingress and egress ACL. | The OOBM access switch will connect to the management interface of the managed network device. The management interface can be a true OOBM interface or a standard interface functioning as the... |
V-14888 | Medium | The WLAN inactive session timeout must be set for 30 minutes or less. | A WLAN session that never terminates due to inactivity may allow an opening for an adversary to highjack the session to obtain access to the network. |
V-92237 | Medium | WLAN components must be FIPS 140-2 certified. | If the DoD WLAN components (WLAN AP, controller, or client) are not NIST FIPS 140-2 (Cryptographic Module Validation Program – CMVP) certified, the WLAN system may not adequately protect sensitive... |
V-25315 | Medium | WLAN access point must be configured for Wi-Fi Alliance WPA2 security. | The Wi-Fi Alliance’s WPA2 certification provides assurance that the device has adequate security functionality and can implement the IEEE 802.11i standard for robust security networks. The... |
V-92239 | Medium | WLAN components must be Wi-Fi Alliance certified with WPA2 or WPA3. | |
V-5613 | Medium | The network device must be configured for a maximum number of unsuccessful SSH logon attempts set at 3 before resetting the interface. | An attacker may attempt to connect to the device using SSH by guessing the authentication method and authentication key or shared secret. Setting the authentication retry to 3 or less strengthens... |
V-5611 | Medium | The network devices must only allow management connections for administrative access from hosts residing in the management network. | Remote administration is inherently dangerous because anyone with a sniffer and access to the right LAN segment could acquire the device account and password information. With this intercepted... |
V-3058 | Medium | Unauthorized accounts must not be configured for access to the network device. | A malicious user attempting to gain access to the network device may compromise an account that may be unauthorized for use. The unauthorized account may be a temporary or inactive account that... |
V-23747 | Low | Network devices must use at least two NTP servers to synchronize time. | Without synchronized time, accurately correlating information between devices becomes difficult, if not impossible. If logs cannot be successfully compared between each of the routers, switches,... |
V-14846 | Low | WLAN SSIDs must be changed from the manufacturer’s default to a pseudo random word that does not identify the unit, base, organization, etc. | An SSID identifying the unit, site or purpose of the WLAN or is set to the manufacturer default may cause an OPSEC vulnerability. |
V-7011 | Low | The auxiliary port must be disabled unless it is connected to a secured modem providing encryption and authentication. | The use of POTS lines to modems connecting to network devices provides clear text of authentication traffic over commercial circuits that could be captured and used to compromise the network. ... |
V-14889 | Low | WLAN signals must not be intercepted outside areas authorized for WLAN access. | Vulnerability Discussion: Most commercially-available WLAN equipment is pre-configured for signal power appropriate to most applications of the WLAN equipment. In some cases, this may permit the... |
V-3070 | Low | Network devices must log all attempts to establish a management connection for administrative access. | Audit logs are necessary to provide a trail of evidence in case the network is compromised. Without an audit trail that provides a when, where, who and how set of information, repeat offenders... |